Hi,
I successfully set up Guacamole with authentication against LDAP (Active
Directory); the connection configuration is also provided by LDAP... everything
is working as expected.

I now played a bit with OpenID (Keycloak) and was wondering if it's possible to
use OpenID Connect authentication and also get the connection configuration
from LDAP...

Because from the documentation it's not clear to me; it says:
```
This module must be layered on top of other authentication extensions that 
provide connection information, such as the database authentication extension, 
as it only provides user authentication
``` 

From my understanding the LDAP module provides connection information, but I
can't get it working.
I can successfully authenticate against OpenID (Keycloak) and I get redirected
to the Guacamole page, but I can't see any connections.

The log shows the exact same 'successfully authenticated' message when logging
in with OpenID and LDAP:
```
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully authenticated from [192.168.124.1, 10.88.0.1].
```
but LDAP-only authentication also has the following log messages:
```
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.18060.0.0.1)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.7)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.2)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.319)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.3)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.18)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.473)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.474)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.10.1)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.18060.0.0.1)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.7)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.2)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.319)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.3)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.18)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.473)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.474)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.10.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.841)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.841)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.2239)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.417)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.528)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.42.2.27.8.5.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.42.2.27.8.5.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.1413)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.2)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.1.21.2)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.9)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.10)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.8)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.8)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.21.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.5)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.1466.20036)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.4203.1.11.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.1466.20037)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.21.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.6)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.4203.1.11.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06002_REGISTERED_INTERMEDIATE_FACTORY (1.3.6.1.4.1.4203.1.9.1.4)
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully authenticated from [192.168.124.1, 10.88.0.1].
```

My test setup looks like this (IPs are currently all manually searched and
set...):
# AD is set up using vagrant (https://github.com/maennlse/vagrant-guac-ad)

# podman create pod
`podman pod create --name test --share cgroup,ipc,uts`

# keycloak container:
```shell
podman run -d --rm -p 8180:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin \
  -e PROXY_ADDRESS_FORWARDING=true --name keycloak --pod test jboss/keycloak
```

# guacamole container (guacamole-auth-openid-1.1.0.jar patched with 
https://github.com/apache/guacamole-client/commit/0344ef30e45954d1252d44b9826c7eedad8b02f3)
```shell
podman run -dt --rm --name guacamole --pod test \
  -v /vagrant/guacamole-auth-openid-1.1.0.jar:/opt/guacamole/openid/guacamole-auth-openid-1.1.0.jar:ro,Z \
  -v /etc/pki/ca-trust/extracted/java:/etc/ssl/certs/java:ro,Z \
  -e OPENID_AUTHORIZATION_ENDPOINT="http://192.168.124.160/auth/realms/master/protocol/openid-connect/auth" \
  -e OPENID_JWKS_ENDPOINT="http://192.168.124.160/auth/realms/master/protocol/openid-connect/certs" \
  -e OPENID_ISSUER="http://192.168.124.160/auth/realms/master" \
  -e OPENID_CLIENT_ID="guacamole" \
  -e OPENID_REDIRECT_URI="http://192.168.124.160/guacamole/" \
  -e OPENID_USERNAME_CLAIM_TYPE="preferred_username" \
  -e OPENID_SCOPE="openid email username profile" \
  -e OPENID_ALLOWED_CLOCK_SKEW=500 \
  -e LDAP_HOSTNAME="dc01" \
  -e LDAP_PORT=389 \
  -e LDAP_ENCRYPTION_METHOD=none \
  -e LDAP_SEARCH_BIND_DN="cn=guac,cn=users,DC=boxes,DC=test" \
  -e LDAP_SEARCH_BIND_PASSWORD="P@ssW0rD!" \
  -e LDAP_USERNAME_ATTRIBUTE="samaccountname" \
  -e LDAP_USER_BASE_DN="cn=users,DC=boxes,DC=test" \
  -e LDAP_GROUP_BASE_DN="ou=groups,DC=boxes,DC=test" \
  -e LDAP_CONFIG_BASE_DN="ou=configs,DC=boxes,DC=test" \
  -e GUACD_HOSTNAME="10.88.0.12" \
  -p 8080:8080 guacamole/guacamole
```

# guacd
`podman run -dt --rm --name guacd --pod guac guacamole/guacd`

# nginx 'port wrapper'
```
    server {
        listen 80 default_server;
        listen       [::]:80 default_server;
        server_name  guacamole;

        location /guacamole/ {
            proxy_pass http://localhost:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_cookie_path /guacamole/ /guacamole/;
            access_log off;
        }
        location / {
            proxy_pass http://localhost:8180/;
            proxy_set_header    Host               $host;
            proxy_set_header    X-Real-IP          $remote_addr;
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host   $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-Port   $server_port;
            proxy_set_header    X-Forwarded-Proto  $scheme;
        }

    }
```


I am afraid that the OpenID extension probably does not work with LDAP
configuration, but I hope it's just a misconfiguration on my side... ;)
So any help/information is appreciated.

thanks.
Sebastian
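As an added diagnostic example (not from the original post, and not code from the Guacamole project), here is a small Python script that parses log excerpts shaped like the two above, re-joins lines that a mail client wrapped, and reports whether a successful login was accompanied by Apache Directory LDAP API codec registrations, which is the only difference the post observes between the LDAP-only login and the OpenID login. The sample lines are constructed from a subset of the post's excerpt; the reading that codec registration means the LDAP extension was actually exercised during that login is an assumption, marked as such in the code.

```python
import re
from dataclasses import dataclass, field

# Regexes for the log shape seen in the post: "LEVEL  logger - message".
LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<logger>\S+) -\s*(?P<msg>.*)$")
# Apache Directory LDAP API codec registrations, e.g.
# "MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.319)".
CODEC_RE = re.compile(r"^(?P<code>MSG_0600[0-2]_REGISTERED_\w+) \((?P<oid>[\d.]+)\)$")
# Guacamole's success line: User "x" successfully authenticated from [a, b].
AUTH_RE = re.compile(
    r'^User "(?P<user>[^"]+)" successfully authenticated from \[(?P<addrs>[^\]]*)\]\.$'
)

# Constructed sample: a subset of the post's LDAP-only excerpt, kept in the
# wrapped form a mail client produces so the unwrapping logic is exercised.
SAMPLE_LDAP_LOGIN = """\
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService -
MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.18060.0.0.1)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY
(2.16.840.1.113730.3.4.2)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil -
MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.8)
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully
authenticated from [192.168.124.1, 10.88.0.1].
"""

# Constructed sample of the OpenID login: only the success line appears.
SAMPLE_OPENID_LOGIN = """\
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully
authenticated from [192.168.124.1, 10.88.0.1].
"""


@dataclass
class LoginSummary:
    ldap_codec_oids: list = field(default_factory=list)
    logins: list = field(default_factory=list)  # (username, [addresses])

    @property
    def ldap_api_touched(self) -> bool:
        # Assumption: the LDAP API registers its codec factories only when the
        # LDAP extension actually opens a connection, so these lines serve as a
        # proxy for "the LDAP extension did work during this login".
        return bool(self.ldap_codec_oids)


def unwrap_records(log_text):
    """Re-join lines a mail client wrapped; returns (logger, message) pairs."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("logger"), [m.group("msg")]))
        elif records:
            records[-1][1].append(line)  # continuation of the previous record
    return [(logger, " ".join(p for p in parts if p)) for logger, parts in records]


def summarize(log_text):
    summary = LoginSummary()
    for logger, msg in unwrap_records(log_text):
        if logger.startswith("o.a.d.a.l."):  # org.apache.directory.api.ldap.*
            c = CODEC_RE.match(msg)
            if c:
                summary.ldap_codec_oids.append(c.group("oid"))
        elif logger.endswith(".AuthenticationService"):
            a = AUTH_RE.match(msg)
            if a:
                addrs = [x.strip() for x in a.group("addrs").split(",") if x.strip()]
                summary.logins.append((a.group("user"), addrs))
    return summary


LDAP_ACTIVE = "login succeeded and the LDAP extension was exercised"
LDAP_SILENT = "login succeeded without any LDAP API activity"
NO_LOGIN = "no successful login in this excerpt"


def diagnose(log_text):
    s = summarize(log_text)
    if not s.logins:
        return NO_LOGIN
    return LDAP_ACTIVE if s.ldap_api_touched else LDAP_SILENT


if __name__ == "__main__":
    for name, text in (("ldap", SAMPLE_LDAP_LOGIN), ("openid", SAMPLE_OPENID_LOGIN)):
        s = summarize(text)
        print(f"{name}: {diagnose(text)}; logins={s.logins}; codec oids={len(s.ldap_codec_oids)}")
```

Run it against a real Tomcat log instead of the samples by passing the file contents to `diagnose()`; an OpenID login that reports "without any LDAP API activity" means the LDAP extension never contacted the directory for that session, which is consistent with the empty connection list the post describes.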
